2025 Medical Device Cybersecurity Index
22% of healthcare orgs have experienced cyberattacks on medical devices, with 75% affecting patient care. So, what next?
Cyberattacks Are Impacting Medical Devices and Impeding Patient Care
Data Reveals Most Vulnerable Healthcare Systems
Budgets Are Rising, But Confidence Still Lags
Cybersecurity Is Now a Procurement Prerequisite
Healthcare Buyers Want Transparency and Built-In Defense
Operational Technology Risks Are in Focus
Buyers Willing to Pay a Premium for Enhanced Protection
Reference:
https://runsafesecurity.com/whitepaper/medical-device-index-2025/
Comparing the highlights of FDA's draft and final premarket cybersecurity guidance - III
The 2025 final guidance is a significant update from the 2023 draft. The key differences lie in:
- Incorporation of Section 524B for "Cyber Devices": The 2025 guidance explicitly includes the legal requirements from Section 524B of the FD&C Act, which mandates specific documentation for "cyber devices" in premarket submissions. This includes a required plan for postmarket vulnerability management, documentation of secure development processes, and a Software Bill of Materials (SBOM). The 2023 draft did not have this explicit legal mandate.
- Updated Quality System (QS) Regulation Alignment: The 2025 guidance provides updated information on the FDA's progress in aligning the QS regulation with ISO 13485, stating that a final rule has been issued with a future effective date. The 2023 draft only mentioned that rulemaking was in process.
- Explicit Definition of "Reasonable Assurance of Cybersecurity": The 2025 guidance explicitly defines "reasonable assurance of cybersecurity" as part of the FDA's determination of device safety and effectiveness, reinforcing its regulatory importance.
These are the core areas where the 2025 final guidance introduces significant updates and stricter requirements compared to the 2023 draft. (Gemini)
Comparing the highlights of FDA's draft and final premarket cybersecurity guidance - II
The FDA's 2025 final guidance on premarket cybersecurity for medical devices, titled "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions", builds upon and finalizes the 2023 draft guidance with several key updates and clarifications. Here's a summary of the main differences:
🔑 Key Differences Between 2023 Draft and 2025 Final Guidance
1. Clarified Documentation Requirements
- 2025 Final: Provides more detailed expectations for documentation in premarket submissions, including:
  - Cybersecurity Risk Assessment
  - Interoperability Considerations
  - Security Use Cases
- 2023 Draft: Mentioned these elements but lacked the same level of specificity.
2. Secure Product Development Framework (SPDF)
- 2025 Final: Emphasizes SPDF as a structured approach to integrating cybersecurity throughout the device lifecycle. It is now more clearly tied to Quality System Regulation (QSR) compliance.
- 2023 Draft: Introduced SPDF but with less emphasis on its integration with QSR.
3. Legacy Device Considerations
- 2025 Final: Adds more guidance on how manufacturers should address cybersecurity for legacy devices, especially in terms of interoperability and updateability.
- 2023 Draft: Touched on legacy devices but lacked detailed direction.
4. Labeling and Transparency
- 2025 Final: Strengthens recommendations for device labeling, including:
  - Software Bill of Materials (SBOM)
  - Cybersecurity controls available to users
  - Update and patching policies
- 2023 Draft: Included SBOM but with less emphasis on user-facing transparency.
5. Threat Modeling and Testing
- 2025 Final: Expands on expectations for threat modeling and security testing, including penetration testing and vulnerability scanning.
- 2023 Draft: Mentioned these practices but did not elaborate on methodologies or expectations.
6. Alignment with Global Standards
- 2025 Final: More explicitly aligns with international standards such as ISO/IEC 81001-5-1 and NIST guidance.
- 2023 Draft: Referenced standards but with less integration. (co-pilot)
Comparing the highlights of FDA's draft and final premarket cybersecurity guidance - I
Differences between the draft and final documents:
1. Document Titles and Issuance Dates:
- Guidance-Device-Cybersecurity-Premarket.pdf: Issued on September 27, 2023.
- GUI00001825-final-PremarketCybersecurity-2025.pdf: Issued on June 27, 2025, with updates reflecting the evolving landscape of medical device cybersecurity.
2. Updates and Revisions:
- 2023 Document: Supersedes the 2014 guidance on the same topic.
- 2025 Document: Updates the 2023 guidance to include new information and recommendations, reflecting changes in the regulatory and technological landscape.
3. Inclusion of Section 524B of the FD&C Act:
- 2023 Document: Does not include specific references to section 524B of the FD&C Act.
- 2025 Document: Includes detailed recommendations for complying with section 524B of the FD&C Act, which was added by the Food and Drug Omnibus Reform Act of 2022. This section requires manufacturers of cyber devices to provide specific cybersecurity information in their premarket submissions.
4. Cyber Devices:
- 2023 Document: General guidance on cybersecurity for all medical devices.
- 2025 Document: Adds a dedicated section (Section VII) specifically for cyber devices, detailing the requirements under section 524B of the FD&C Act, including plans and procedures, design and development processes, and the provision of a Software Bill of Materials (SBOM).
5. Terminology and Definitions:
- 2023 Document: Uses general terminology related to cybersecurity in medical devices.
- 2025 Document: Updates and expands the terminology section to include definitions specific to the requirements of section 524B of the FD&C Act, such as "cyber device," "critical vulnerabilities," and "uncontrolled risks."
6. Documentation Recommendations:
- 2023 Document: Provides general recommendations for documentation in premarket submissions.
- 2025 Document: Includes more detailed and specific documentation recommendations to comply with section 524B of the FD&C Act, including the need for a cybersecurity management plan, detailed security architecture views, and an SBOM.
7. Security Risk Management:
- 2023 Document: Emphasizes the importance of security risk management processes, including threat modeling and cybersecurity risk assessment.
- 2025 Document: Expands on these processes, providing more detailed recommendations and aligning with updated standards and regulations.
8. Labeling and Transparency:
- 2023 Document: Discusses the importance of labeling and transparency in managing cybersecurity risks.
- 2025 Document: Provides more detailed recommendations for labeling, including specific information that should be included to comply with section 524B of the FD&C Act.
9. Appendices:
- 2023 Document: Includes appendices with detailed descriptions of security control categories, submission documentation for security architecture flows, and terminology.
- 2025 Document: Updates and expands the appendices to include more detailed recommendations and align with the new requirements under section 524B of the FD&C Act.
These differences reflect the evolving nature of cybersecurity in medical devices and the need for updated guidance to address new regulatory requirements and technological advancements. (with the help of prompt engineering and agents)
Cybersecurity Vulnerabilities with Certain Patient Monitors from Contec and Epsimed: FDA Safety Communication
Date Issued: January 30, 2025 (source: FDA site)
The U.S. Food and Drug Administration (FDA) is raising awareness among health care providers, health care facilities, patients, and caregivers that cybersecurity vulnerabilities in Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors (which are Contec CMS8000 patient monitors relabeled as MN-120) may put patients at risk after being connected to the internet.
Three cybersecurity vulnerabilities have been identified:
- The patient monitor may be remotely controlled by an unauthorized user or not work as intended.
- The software on the patient monitors includes a backdoor, which may mean that the device or the network to which the device has been connected may have been or could be compromised.
- Once the patient monitor is connected to the internet, it begins gathering patient data, including personally identifiable information (PII) and protected health information (PHI), and exfiltrating (withdrawing) the data outside of the health care delivery environment.
These cybersecurity vulnerabilities can allow unauthorized actors to bypass cybersecurity controls, gaining access to and potentially manipulating the device.
The FDA is not aware of any cybersecurity incidents, injuries, or deaths related to these cybersecurity vulnerabilities at this time.
Recommendations for Patients and Caregivers
- Talk to your health care provider about whether your device relies on remote monitoring features. Remote monitoring means the device uses an internet connection to allow a health care provider to evaluate patient vital signs from another location (such as a remote monitoring system or central monitoring system).
- If your health care provider confirms that your device relies on remote monitoring features, unplug the device and stop using it. Talk to your health care provider about finding an alternative patient monitor.
- If your device does not rely on remote monitoring features, use only the local monitoring features of the patient monitor. This means unplugging the device’s ethernet cable and disabling wireless (that is, WiFi or cellular) capabilities, so that patient vital signs are only observed by a caregiver or health care provider in the physical presence of a patient.
- If you cannot disable the wireless capabilities, unplug the device and stop using it. Talk to your health care provider about finding an alternative patient monitor.
- Be aware the FDA is not aware of any cybersecurity incidents, injuries, or deaths related to this vulnerability at this time.
- Report any problems or complications with your Contec CMS8000 patient monitor or Epsimed MN-120 patient monitor to the FDA.
Recommendations for Health Care Providers
- Work with health care facility staff to determine if a patient’s Contec CMS8000 patient monitor or Epsimed MN-120 patient monitor may be affected and how to reduce any associated risk.
- Read and follow the recommendations for patients and caregivers in this safety communication.
- Check the Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors for any signs of unusual functioning, such as inconsistencies between the displayed patient vitals and the patient’s actual physical state.
- Report any problems with your Contec CMS8000 patient monitor or Epsimed MN-120 patient monitor to the FDA.
Recommendations for Health Care Facility Staff (including Information Technology (IT) and Cybersecurity Staff)
- Use only the local monitoring features of the device.
- If your patient monitor relies on remote monitoring features, unplug the device and stop using it.
- If your device does not rely on remote monitoring features, unplug the device’s ethernet cable and disable wireless (that is, WiFi or cellular) capabilities. If you cannot disable the wireless capabilities, then continuing to use the device will expose the device to the backdoor and possible continued patient data exfiltration.
- Review the Cybersecurity and Infrastructure Security Agency (CISA) "Mitigations" section in the advisory for these vulnerabilities.
- Be aware, at this time there is no software patch available to help mitigate this risk.
- Check the Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors for any signs of unusual functioning, such as inconsistencies between the displayed patient vitals and the patient’s actual physical state.
- Report any problems with your Contec CMS8000 patient monitor or Epsimed MN-120 patient monitor to the FDA.
Device Description
Patient monitors are used in health care and home settings for displaying information, such as the vital signs of a patient, including temperature, heartbeat, and blood pressure.
Cybersecurity Vulnerabilities May Affect Contec CMS8000 and Epsimed MN-120 Patient Monitors
Three cybersecurity vulnerabilities have been identified, whose potential impacts fall into two main categories. A vulnerable device could be exploited to:
- Deny access to the device, such as cause the device to crash and be unable to work as intended.
- Take over the device to remotely control it to perform unexpected or undesired actions, such as corrupting the data.
The vulnerabilities could allow all vulnerable Contec and Epsimed patient monitors on a given network to be exploited at the same time.
Additionally, the software on the patient monitors includes a backdoor. “Backdoor” is the term used to describe hidden functionality that device users are not told about and can allow unauthorized actors to bypass cybersecurity controls. The unauthorized actors could access and potentially manipulate the device. Given the backdoor, the device and/or the network to which the device has been connected may have been or could be compromised.
Also, the FDA has authorized these patient monitors only for wired functionality (that is, ethernet connectivity). However, the FDA is aware that some patient monitors may be available with wireless (that is, WiFi or cellular) capabilities without FDA authorization.
The Cybersecurity and Infrastructure Security Agency (CISA) has identified that once the patient monitor is connected to the internet, it begins gathering and exfiltrating (withdrawing) patient data outside of the health care delivery environment, including when the device is used in a home setting. The FDA and CISA continue to work with Contec to correct these vulnerabilities as soon as possible.
Unique Device Identifier (UDI)
The unique device identifier helps identify individual medical devices, including patient monitors, sold in the United States from manufacturing through distribution to patient use. The UDI allows for more accurate reporting, reviewing, and analyzing of adverse event reports so that devices can be identified, and problems potentially corrected more quickly.
You can identify the devices affected by checking the unique device identifier (UDI), which is a unique numeric or alphanumeric code that generally includes a device identifier (DI) that identifies the labeler and the specific version or model of a device.
Brand Name | Version or Model | UDI-DI
---|---|---
Contec | CMS8000 | 06945040100034
Epsimed | MN-120 | N/A
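The UDI-DI table above, worked as an added example that is not part of the FDA communication: a Python triage of a device inventory against the affected models, which validates the GS1 check digit of the listed Contec DI, matches Epsimed units by brand and model since no DI is listed, and maps each hit to the action the FDA recommends for its mode of use. The inventory records and their field names are constructed assumptions.

```python
# Added example, not part of the FDA communication: triage a device inventory
# against the affected-device table above. Inventory records and field names are
# constructed; the GS1 GTIN-14 mod-10 check applies to the 14-digit Contec UDI-DI.
AFFECTED = [
    {"brand": "Contec", "model": "CMS8000", "udi_di": "06945040100034"},
    {"brand": "Epsimed", "model": "MN-120", "udi_di": None},  # table lists N/A
]

def gtin14_check_digit_ok(di: str) -> bool:
    """Validate a 14-digit GS1 DI: weights 3,1,3,... over the first 13 digits."""
    if len(di) != 14 or not di.isdigit():
        return False
    weighted = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(di[:13]))
    return (10 - weighted % 10) % 10 == int(di[13])

def is_affected(asset: dict) -> bool:
    """Match on UDI-DI when the table gives one, else on brand and model."""
    di = (asset.get("udi_di") or "").strip()
    def norm(m): return m.replace("-", "").upper()
    for dev in AFFECTED:
        if dev["udi_di"] and di == dev["udi_di"]:
            return True
        if (asset.get("brand", "").lower() == dev["brand"].lower()
                and norm(asset.get("model", "")) == norm(dev["model"])):
            return True
    return False

def triage(inventory: list) -> list:
    """Map each affected monitor to the action the FDA recommends for its use."""
    findings = []
    for a in inventory:
        if not is_affected(a):
            continue
        if a.get("remote_monitoring"):  # relies on remote monitoring: out of service
            action = "unplug and stop using; source alternative monitor"
        elif a.get("wireless") and not a.get("wireless_can_disable", True):
            action = "unplug and stop using; wireless cannot be disabled"
        elif a.get("ethernet_connected") or a.get("wireless"):
            action = "local monitoring only: unplug ethernet, disable WiFi/cellular"
        else:
            action = "already isolated; watch for displayed-vitals inconsistencies"
        findings.append((a["asset_id"], action))
    return findings

# Constructed sample inventory (not real asset data)
SAMPLE_INVENTORY = [
    {"asset_id": "PM-001", "brand": "Contec", "model": "CMS8000", "udi_di": "06945040100034", "remote_monitoring": True, "ethernet_connected": True, "wireless": False},
    {"asset_id": "PM-002", "brand": "Epsimed", "model": "MN-120", "udi_di": "", "remote_monitoring": False, "ethernet_connected": True, "wireless": False},
    {"asset_id": "PM-003", "brand": "Contec", "model": "CMS8000", "udi_di": "06945040100034", "remote_monitoring": False, "ethernet_connected": False, "wireless": True, "wireless_can_disable": False},
    {"asset_id": "PM-004", "brand": "OtherCo", "model": "X1", "udi_di": "", "remote_monitoring": True, "ethernet_connected": True, "wireless": False},
]
```

Running `triage(SAMPLE_INVENTORY)` flags PM-001, PM-002 and PM-003 with their respective actions and leaves the unrelated PM-004 alone.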
FDA Actions
The FDA takes seriously any reports of cybersecurity vulnerabilities in medical devices and will continue to work with Contec and CISA to correct these vulnerabilities as soon as possible.
The FDA will continue to assess new information concerning the vulnerabilities and will keep the public informed if significant new information becomes available.
Reporting Problems with Your Device
If you think you had a problem with a Contec CMS8000 or Epsimed MN-120 patient monitor, the FDA encourages you to report the problem through the MedWatch Voluntary Reporting Form.
Health care personnel employed by facilities that are subject to the FDA's user facility reporting requirements should follow the reporting procedures established by their facilities.